Worries about application access have been floating in the Twitter streams of late. Many have voiced concerns about privacy breaches by applications that log users in to Twitter or access their account.

Turns out, those fears are well founded. The Twitter API can be exploited quite easily to give any application you sign in with access to your Direct Messages.

Using WordPress to Access Direct Messages

For the sake of simplicity, I’m using WordPress to demonstrate accessing Direct Message information.

The Twitter API allows developers access to lots of neat information. You can send messages, update statuses, and do whatever you so please. Sure, there are some permission settings available for developers (read vs. read/write), but few users read this stuff anyway.

Before we go further, apologies to Shannon Whitley for butchering the Twit Connect WordPress plug-in and making an example of it. Whitley has developed a simple plug-in for WordPress that bridges authentication between your blog and Twitter, allowing Twitter users to sign in using their existing credentials. This is similar to the comment structure on Search Engine Watch, which I’m sure many of you have used already.

Once you install the plug-in, 90 percent of the work is done. The first thing you’ll need to do is register your application with Twitter, which can be done here. You’ll be asked for some basic information and will then be given credentials, which you will need to enter in the Twit Connect settings panel.

The next step is to look into the Twitter API for Direct Message access. This can be found here.

From this we can see a number of options: several output formats and parameters for limiting the number of messages retrieved. To make it simple, we’ll grab the latest 200 messages from a Twitter user’s inbox.

This simply retrieves the latest 200 direct messages and stores them in a variable — not much use right now, but let’s say you wanted a dump of everyone’s private inbox every time they logged in to your WordPress site. Well, you can simply e-mail the data back to yourself.

Done! Now every time someone logs into your WordPress website to post a comment, using their Twitter account for authentication, 200 personal messages hidden inside their Twitter inbox are getting e-mailed to you.

So What Good is This?

Personally, I don’t care to read direct messages. However, I can see it being useful for list harvesting.

You could take this and extend the idea further by paging through their entire inbox and scanning each message for e-mail addresses. This is quite simple to do.

This is probably the most useful strategy for this information, as most people want to take conversations to e-mail or chat after two or three tweets. So e-mail list harvesting should be plentiful.

The next step: just get your “application” heavily utilized. Or force integration into your heavy traffic WordPress blog.

Simple solution: don’t let applications you don’t completely trust log you in. Average users really don’t know what they’re doing and it’s really easy to automatically hit the big “accept” buttons online or during a software installation. But in this case it could be the equivalent of hitting “install” on a spyware application.

To be fair, even the geeks do it. How many of you actually read the terms and conditions to the last application you installed, or website you signed up to?

Bottom line: Be aware of what you’re granting access to, whether it’s on Twitter, Facebook, or any other site. Be smart about what sites you give access to, or else your private data will no longer be private.
